|Summary:||sys-cluster/crmsh: privilege escalation (CVE-2020-35459)|
|Product:||Gentoo Security||Reporter:||John Helmert III <ajak>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
Description John Helmert III 2021-01-13 22:19:32 UTC
CVE-2020-35459 (http://www.openwall.com/lists/oss-security/2021/01/12/3): An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges. Maintainers, I can't find a patch applied to crmsh in Git, so please confirm if a newer release fixes this issue. There's also a patch at URL which might work if not.
Comment 1 Ultrabug 2021-02-08 09:26:46 UTC
I dropped the older versions, only 4.2.1 is left in tree ! Thanks
Comment 2 Ultrabug 2021-02-08 09:29:18 UTC
hmm on a second read, it seems that "through" 4.2.1 means that it's also affected right? There's no higher release yet.
Comment 3 Zdravko Spoljar 2021-02-10 02:31:37 UTC
# crm node status Fatal error: No module named 'parallax' in version 4.2.1. ?